1dfcce1ce83f53c469c4e45cccd2a372a2bb97d7e3992f92161314a4c33e57e1

General

Target

0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe
Size

3.5MB
MD5

22de181249b690fe72765d7ea88261aa
SHA1

74bef0075a62ab823ecd3218c83d44e5b878b99a
SHA256

0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee
SHA512

f4ae5196c921e9becf8837b84af2f86153c7d99fb54da6d8453ebdeb53509f9be02a288c0c26ab2340ace94fbaa351302425164febd928b02fdeaaa2302123f2
SSDEEP

49152:b/beXS0wKk0PlMb79rofRV649W3gHCPCOLnlDoftbvDGxhrIASdNmYU7ex:LbQwKpPiCWltPC6MftbrGXNMNF

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TemplatesWindowsHolographicDevices-type1.6.3.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TemplatesWindowsHolographicDevices-type1.6.3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TemplatesWindowsHolographicDevices-type1.6.3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TemplatesWindowsHolographicDevices-type1.6.3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Executes dropped EXE 2 IoCs

pid	Process
4544	TemplatesWindowsHolographicDevices-type1.6.3.0.exe
2772	TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3020	icacls.exe
1556	icacls.exe
3832	icacls.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0004000000000739-149.dat	upx
behavioral2/files/0x0004000000000739-150.dat	upx
behavioral2/files/0x0004000000000739-151.dat	upx
behavioral2/memory/4544-153-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/memory/4544-154-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/memory/4544-155-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/memory/4544-156-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/files/0x0004000000000739-157.dat	upx
behavioral2/memory/2772-158-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/memory/2772-159-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/memory/2772-160-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx
behavioral2/memory/2772-161-0x00007FF696540000-0x00007FF696A5F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TemplatesWindowsHolographicDevices-type1.6.3.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 3348	4508	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	82

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
216	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3348	4508	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	82
PID 4508 wrote to memory of 3348	4508	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	82
PID 4508 wrote to memory of 3348	4508	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	82
PID 4508 wrote to memory of 3348	4508	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	82
PID 4508 wrote to memory of 3348	4508	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	82
PID 3348 wrote to memory of 3020	3348	AppLaunch.exe	85
PID 3348 wrote to memory of 3020	3348	AppLaunch.exe	85
PID 3348 wrote to memory of 3020	3348	AppLaunch.exe	85
PID 3348 wrote to memory of 1556	3348	AppLaunch.exe	87
PID 3348 wrote to memory of 1556	3348	AppLaunch.exe	87
PID 3348 wrote to memory of 1556	3348	AppLaunch.exe	87
PID 3348 wrote to memory of 3832	3348	AppLaunch.exe	89
PID 3348 wrote to memory of 3832	3348	AppLaunch.exe	89
PID 3348 wrote to memory of 3832	3348	AppLaunch.exe	89
PID 3348 wrote to memory of 216	3348	AppLaunch.exe	91
PID 3348 wrote to memory of 216	3348	AppLaunch.exe	91
PID 3348 wrote to memory of 216	3348	AppLaunch.exe	91
PID 3348 wrote to memory of 4544	3348	AppLaunch.exe	93
PID 3348 wrote to memory of 4544	3348	AppLaunch.exe	93

C:\Users\Admin\AppData\Local\Temp\0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe
"C:\Users\Admin\AppData\Local\Temp\0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3020
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3832
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0" /TR "C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:216
- - C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe
    "C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4544

C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe
C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Filesize
648.0MB

MD5
9a2826cd6c7c445df1bf5ff1e088edf1

SHA1
63ff9220d7e3321406f2ef3ba398ab8bfe8f00a3

SHA256
6b03f0ec9209220cb94f3588f4acaaacb2a02a7a4d11af8c63f0bdc0c4493484

SHA512
850f063d1593a2aadcff1315cf80961bc7ca38e75b80ce396bd6f3cbecc88c3fb12eba2f576e4efaa61ee1fdae2a5e140c5308874bcb6e17016d70c15f317b98

Download Submit
C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Filesize
642.2MB

MD5
ad7cc23c326e7cd80d8cd7f4cc54a00f

SHA1
72509ab5ef2c996542eee87878655f2947fcbef1

SHA256
bbf74d074839fccca8cb2ad026be2bb2a8e1b4cc3e837b38818a4285beb5e119

SHA512
593a73b9bd3fa4fdbe584a9828f5e02cfe121e10f85f723205fa3face3de8ebad33ebd01670f0782fe5b19d5896d0a6f0a5278ad218db91532ecfaa82b2238b0

Download Submit
C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Filesize
662.8MB

MD5
f302b222ff6d11cbdb16f14a389072a6

SHA1
85b45e2e5d6e4be3b2c69161552b62101bdda238

SHA256
ab0f5d5b4c39e53fe811199f95c0edfce3e478cf0f75438e736fcf25ba58a432

SHA512
206cd4c771b8f2984a423f446327a431d6e4eeb0c3c4f78b29580fd5c99a2b4631e41a3cbfd592bb4ce04dd9dd87d7eacb522ba10b2ef3491d94a0da3837bfae

Download Submit
C:\ProgramData\TemplatesWindowsHolographicDevices-type1.6.3.0\TemplatesWindowsHolographicDevices-type1.6.3.0.exe

Filesize
214.0MB

MD5
d83453c6691694bbdc9a498ef86bae8f

SHA1
f08cfb4840fdb1c3a007c83c7812647e8f15dff9

SHA256
4810db27e757813729ec4ebf91dee5ca41fa04e092e0df5a694685b4d6ed31e2

SHA512
d8999e1d506b941f42899ac4d68438d1e2dbdb2f6c115e7945e4633d0725a28924ab61deb2fcdcef69116b979101ee2ea5f364482afcd9978e838f00d46d6e49

Download Submit
memory/2772-158-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/2772-161-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/2772-160-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/2772-159-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/3348-140-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/3348-139-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3348-138-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/3348-133-0x0000000000500000-0x000000000085C000-memory.dmp

Filesize
3.4MB

Download
memory/3348-141-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3348-144-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3348-143-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3348-142-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4544-153-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/4544-154-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/4544-155-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download
memory/4544-156-0x00007FF696540000-0x00007FF696A5F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads